Top 10 IT Audit Questions and Answers

Altius IT provides this list of the Top 10 IT Audit Questions and Answers to help you make the most of your IT security audit.

Q1: I am planning to have an IT audit.  What do I need to do to prepare for the audit? 
A: Identify the purpose of the audit.  Is it for peace of mind?  Did you experience a security breach? Is it to help you meet compliance requirements?  Did a customer request that you have a security audit? Security audits can help you identify, manage, and reduce your risks.  Prior to the audit, make sure you know your environment and where sensitive data is collected, stored, and transmitted.

Q2: What is the scope and cost of a typical engagement?
A: Every engagement is unique and the audit can be customized to your specific needs. In most cases, the cost of the audit is directly related to the size of your environment.  Identify in advance your Technical Safeguards: number of external network entry points (public IP addresses) to be assessed, the number of web applications/web sites to be audited, and your number of internal servers/devices to be evaluated.  If desired, the auditor can also review your Administrative Safeguards such as your policies, procedures, job descriptions, Incident Response Plan, Business Continuity Plan, Security Training and Awareness Plan, agreements with service providers, cyber insurance, etc.

Q3: Do I receive an Auditor Opinion Letter?
A: If a customer is requesting that you have an audit, you may want to provide your customer with an Auditor Opinion Letter in lieu of sending them a full audit report that could raise additional questions.  Let your auditor know prior to finalizing the engagement scope that you need an Auditor Opinion Letter.

Q4: What type of firm should I use for my IT audit?
A. For IT and cyber related engagements, you typically want to select a Certified Information Systems Auditor.  Certified auditors answer to  global certifying bodies so you are assured that their audits and recommendations are made under the highest level of quality, reliability, and thoroughness. Certified Information Systems Auditors have the knowledge and experience to evaluate your environment to help ensure your controls are sufficient and effective.  Auditors are bound by a Code of Ethics and, for your benefit, are independent and do not provide IT related services to your organization.  By being independent, the auditor does not have conflicts of interest and the auditor's recommendations are in your best interests.

Q5: Will the audit take up much of my staff's time?
A: Experienced auditors work quickly and efficiently.  They know your time is valuable and they minimize their impact on your time and your environment.  Prior to coming on-site, your auditor can evaluate your public network/IP addresses and review your Administrative Safeguards (policies, etc.) from a remote location.  By reviewing information in advance, the auditor is more knowledgeable about your environment prior to evaluating your internal network. 

Q6: Will my systems be impacted by the IT audit?
A: You may see some additional traffic as the auditor evaluates your systems.  However, experienced auditors use built in protection mechanisms so your systems are not flooded with traffic that can cause user response time delays.

Q7: How soon can the auditor get started?
A: Timing depends upon a variety of factors.  Let the auditor know if it is an emergency or if you have other time constraints.  In some cases the auditor will send you Worksheets that need to be filled out and returned to the auditor prior to the start of their work.  The auditor will also need time to assemble the appropriate staff for the engagement.  If travel is required, the auditor will need to make airline, hotel, car rental, and other arrangements.

Q8: What do I do once I receive the auditor's report?
A: Auditors will generally provide you with a prioritized list of recommendations so you can address the areas with the greatest risks.  In some instances the auditor's recommendations may be based on security issues.  In others, there might be compliance requirements. Review the auditor's findings with your management and IT staff and prepare an action plan with assigned responsibilities and expected completion dates.

Q9: What type of support will I receive after the IT audit?
A: Each engagement is unique, so prior to committing to an audit ask the auditor the type of support available once you receive your audit report.  Since the auditor needs to be independent, the auditor cannot assist with remediation or corrective action.  However, your auditor should be able to answer questions regarding the findings and recommendations.

Q10: How often should I have an IT audit?
A: New vulnerabilities are discovered on a weekly basis and hackers are constantly improving and enhancing their techniques.  In today's environment where security breaches are announced daily, most organizations have annual audits.  However, you may also want to have an audit immediately after a major change in your infrastructure or business processes.


Certified auditors can identify risk areas and make recommendations to secure systems. With the help of IT audits, organizations can better protect themselves and the sensitive information stored on internal networks.

Security Blog menu  

Tags: security audit | it audit | network security audit | security audit q&a | security audit questions and answers | security audit top 10



Certified Auditors

Certified Information Systems Auditors
Altius IT's auditors are certified to audit your systems and issue reports and opinions on your security. We help you identify, manage, and reduce your risks. Our comprehensive audit service uncovers gaps in your existing defenses so that you can better:

  • Fortify your network infrastructure
  • Comply with regulatory requirements
  • Protect your valuable assets

For a full list of our certifications please visit our About Us page.